[00:05.880 --> 00:14.920]  All right, hey, I'm Kwadi. I'm a weird guy, but I have a foot in two different worlds. My day job
[00:16.220 --> 00:19.820]  is I'm an ER doc, so I practice in the emergency department.
[00:19.820 --> 00:25.980]  I also do a lot of research in the security space, so where medicine and security collide.
[00:27.060 --> 00:33.300]  Enough of that. Follow me on Twitter if you want. Next slide, please.
[00:39.700 --> 00:51.560]  All right, so, you know, this has been my life until things in my neck of the woods kicked up
[00:51.560 --> 00:56.780]  for COVID. So, you know, we talked about how toilet paper is worth gold. There was this
[00:56.780 --> 01:04.420]  crazy-ass Netflix show. But things have changed, you know, and the pandemic started off about
[01:04.420 --> 01:08.660]  tigers and toilet paper, but it's quickly gotten out of hand, and I promise this will
[01:08.660 --> 01:19.140]  become relevant in a little bit. Next slide. You know, one of the biggest disappointments
[01:19.140 --> 01:23.860]  in my life in COVID so far has been my inability to eat burritos like I used to before. I'm sure
[01:23.860 --> 01:30.180]  many of you out there are experiencing a similar problem. I haven't figured out what the problem
[01:30.180 --> 01:38.120]  is. I will say coming from San Diego, DCA 58619, we have the best burritos in America.
[01:38.120 --> 01:54.250]  And so this is a big bummer. Next slide. This is my day job. So this isn't a shot from my ED,
[01:54.250 --> 01:58.610]  my emergency department, but it's pretty much any of the emergency departments across the country
[01:58.610 --> 02:09.430]  right now. And this has a lot to do with the problems of ER crowding. And we splashed COVID
[02:09.430 --> 02:15.030]  in on that, and now we have basically a greatly diminished ability to take care of patients,
[02:15.030 --> 02:20.890]  and generally a crazy shift every time I go into work, and we're just seeing patients left and
[02:20.890 --> 02:32.460]  right. Next slide. So we built these tents, and this is how crazy it was. So we were so worried
[02:32.460 --> 02:39.160]  about patients overflowing out into the parking lot, et cetera, that we built these emergency
[02:39.160 --> 02:47.320]  tents. And all these hospitals across the country started as quickly as possible deploying any
[02:47.320 --> 02:55.320]  connected technology they could to extend the capabilities of a hospital into parking lots.
[02:55.880 --> 03:02.960]  And generally speaking, across the country, this was the right thing to do. We were so worried
[03:02.960 --> 03:08.040]  about running out of ventilators, et cetera, that there's a mad rush to plug everything
[03:08.040 --> 03:19.120]  in onto the internet. Next slide. Just give me a favor out in the crowd,
[03:19.120 --> 03:23.360]  like throw out some hearts or something, if you've been seeing your doctor by Zoom.
[03:24.100 --> 03:28.640]  Oh yeah, we got some people out there. Isn't that the weirdest thing? I don't know. I'm also
[03:28.640 --> 03:34.120]  kind of curious how many people out there really would prefer this. But all of a sudden, we went
[03:34.120 --> 03:38.840]  from this world where in emergency medicine, where we take care of heart attacks and gunshot wounds
[03:38.840 --> 03:45.080]  and appendicitis, and sometimes even like just toenails, you know, hangnails. All of a sudden,
[03:45.080 --> 03:50.940]  we had this capability to do telemedicine. We were worried about what happens if our faculty
[03:50.940 --> 03:56.500]  gets sick? What happens if all these ER docs and nurses get COVID and they can't come into work?
[03:56.500 --> 03:59.740]  But the patients are just going to keep coming. So we thought to ourselves,
[03:59.740 --> 04:03.580]  you know, we don't normally do telemedicine in emergency medicine. That's for like primary care
[04:03.580 --> 04:08.300]  doc or your crazy dermatologist or whatever. But in emergency medicine for the first time,
[04:11.700 --> 04:18.060]  from our homes when we get COVID, because otherwise those are going to be lost resources
[04:18.060 --> 04:21.520]  and patients aren't going to see doctors. So it'd be better to see them over an iPad
[04:22.520 --> 04:25.920]  than not see a doctor at all. Next slide.
[04:32.980 --> 04:37.660]  And so all of this is kind of my day job. But for the longest time I've been a hacker,
[04:37.660 --> 04:42.620]  just like you guys out there. This is me playing OpenCTF. Shoot, I must have been like
[04:42.620 --> 04:49.740]  DEF CON 14 or 15. No, I was probably like 16. And so when you grow up a hacker, and all of a sudden
[04:49.740 --> 04:56.340]  you find yourself in healthcare, and you can't help but think about how easy it would be to
[04:56.340 --> 05:01.140]  socially engineer people in your space, or how insecure some of these systems are,
[05:01.140 --> 05:06.900]  or that you're using medical technology with legacy operating systems, machines that have
[05:06.900 --> 05:13.280]  been unpatched for over a decade. These types of things are realities in a lot of places in
[05:13.280 --> 05:20.860]  the world, is that the race to digitize medicine in the race to increase electronic health records
[05:20.860 --> 05:26.500]  and a variety of other things, what we had at the end of the day was hyper connectivity without
[05:26.500 --> 05:33.380]  the commensurate attention to security. And it's not one of those things that people pay a lot of
[05:33.380 --> 05:40.140]  attention to, but primarily because it's expensive. There's a lot of other things going on in the
[05:40.140 --> 05:46.200]  space like COVID, for example. And then also when you buy a medical device, there's a decent chance
[05:46.200 --> 05:51.080]  that that medical device is going to be in production for years and years and years, right?
[05:51.080 --> 05:57.440]  So if you're at a bank or another company, you might have a much quicker hardware and software
[05:58.040 --> 06:03.460]  lifecycle, as opposed to something like an MRI machine that costs over a million dollars for a
[06:03.460 --> 06:08.480]  hospital. And when they buy one, they literally have to knock down walls in their hospital
[06:08.480 --> 06:14.320]  to put it in. And that device is going to be in production for 10 years. Well, if it took
[06:14.320 --> 06:19.680]  five years to develop it, what operating system do you think it's using its very first day it's
[06:19.680 --> 06:24.080]  on market? It's going to be the operating system from five years ago. And so what we have been
[06:24.080 --> 06:31.700]  seeing, unfortunately, a lot of time is these legacy machines are, sorry, our medical devices
[06:31.700 --> 06:38.200]  are obsolete and using basically legacy operating systems while they're still brand new. Next slide.
[06:46.480 --> 06:50.460]  I do some research. So I actually have to publish and do a bunch of stuff. So one
[06:50.460 --> 06:54.880]  piece of research we did that turned into a DEF CON Talk at 20 was
[06:55.340 --> 06:59.600]  we looked at the 911 system. So I studied a lot of out-of-hospital cardiac arrest,
[06:59.600 --> 07:04.880]  so basically what happens if your heart stops right before we do shocks and CPR.
[07:05.040 --> 07:09.860]  And I listened to thousands of 911 calls. And after I listened to so many of them,
[07:09.860 --> 07:15.020]  there were some failures I noticed. And one of them were technical failures. So for example,
[07:15.020 --> 07:19.720]  someone would pop up on their phone, try to get some location service to identify where they were,
[07:19.720 --> 07:24.220]  because a dispatcher on the 911 call would be asking for their location, and they would say,
[07:24.220 --> 07:28.460]  you know, I'm here. But in actuality, they were half a mile away because of bad
[07:28.460 --> 07:33.520]  location technology. Or if they were using cell phone triangulation, for example, to
[07:33.520 --> 07:38.200]  identify where a patient in distress was, we can tell based on, you know, there's a whole
[07:38.200 --> 07:43.280]  bunch of reasons why that technology could fail. And one of the things I realized was, like,
[07:43.280 --> 07:48.460]  what is the security and technical underpinnings of a 911 system, you know, a system that so many
[07:48.460 --> 07:53.940]  patients rely on every single day in the most dire circumstances to make sure that they live.
[07:53.940 --> 07:59.080]  And so we did some research over a year. That talk's up on YouTube. I think it's DEF CON 20 or 22.
[07:59.180 --> 08:05.300]  I can't remember. But the talk just goes through basically how insecure and antiquated our 911
[08:05.300 --> 08:09.460]  infrastructure is. If you're an old phone phreaker, you're going to get a kick out of the talk,
[08:09.460 --> 08:14.120]  because of just how old the technology is that they were using back then.
[08:14.120 --> 08:20.480]  And then we did some stuff a couple years ago looking at how secure are your laboratory
[08:20.480 --> 08:25.040]  information systems? You know, when you get your labs back from a doctor, you go to your doctor,
[08:25.040 --> 08:32.720]  they order a bunch of blood work or an x-ray. And how secure, how confident are you in the
[08:32.720 --> 08:37.540]  integrity of that data? So we looked at these things called laboratory information systems,
[08:37.540 --> 08:44.100]  and we were able to basically show it's relatively easy to perform some very trivial man-in-the-middle
[08:44.100 --> 08:48.840]  attacks or person-in-the-middle attacks, and change laboratory values in patients in the
[08:48.840 --> 08:53.220]  hospital. So what does that mean? You go into the hospital, you really just ate a bad burrito,
[08:53.220 --> 08:57.620]  and that's why your stomach's hurting. I changed your blood work to make it look like you have
[08:59.380 --> 09:03.200]  diabetic ketoacidosis, you know, an emergency condition. The doctor looks at your labs,
[09:03.200 --> 09:06.540]  and she said, oh, wow, it looks like you're really sick, when in actuality, you're not.
[09:06.540 --> 09:10.700]  We changed the values, and they give you a treatment you don't need. And in that case,
[09:10.700 --> 09:14.760]  it would be something like insulin. If you give someone insulin when they don't need it,
[09:14.760 --> 09:19.760]  they can die. And so we were able to show you can change all sorts of things, primarily because of
[09:19.760 --> 09:26.200]  this use of an old, antiquated protocol called HL7, or Health Data 7. We can talk more about
[09:26.200 --> 09:32.060]  that later, and I'll post in the Discord some links to that stuff if you're interested. Next
[09:32.060 --> 09:42.750]  slide. All right, I run the Do No Harm panel at DEF CON every year. Please come check us out.
[09:42.750 --> 09:46.970]  I run another conference, too, called the CyberMed. I know, I'm not drinking right now,
[09:46.970 --> 09:51.590]  and I said cyber like 15 times. I'm sorry. Forgive me. Next slide.
[09:57.650 --> 10:02.610]  All right, so this is what we're going to talk about today. Wait, what? I'm here at DEF CON
[10:02.610 --> 10:07.550]  Groups AltspaceVR. Why the hell are we talking about this old-ass picture? I don't see any
[10:07.550 --> 10:13.850]  badge life in here. I don't see any alcohol and debauchery of Hacker Jeopardy.
[10:14.470 --> 10:20.870]  This is the most important thing to me, and this is my favorite painting. It's called The Doctor,
[10:20.870 --> 10:25.830]  and it was painted in the late 1800s. And the reason it's my favorite painting is it reminds
[10:25.830 --> 10:30.950]  me why I go to work every day. Now, quickly, let's just take a look. The top right, we get a mom
[10:30.950 --> 10:36.710]  and a dad. At least, that's what I think they are. And mother has her face down on the table,
[10:36.710 --> 10:42.870]  and dad laid on mine, and she's weeping. Dad looks concerned. The left side of the painting,
[10:42.870 --> 10:49.610]  we see the title of this painting, which is The Doctor, looking concerned over a child,
[10:49.610 --> 10:53.550]  the focal point of the entire painting, and that's the patient. I have been that doctor
[10:53.550 --> 10:59.870]  before. I know what that doctor is thinking, and I've tried every treatment under the sun. I've
[10:59.870 --> 11:03.450]  tried every medicine I know. I've tried every ounce of training I know, and I don't know if
[11:03.450 --> 11:07.010]  this patient is going to make it through. Next slide.
[11:15.380 --> 11:20.600]  This is health care today. So, that was the health care of the late 1800s. This is the
[11:20.600 --> 11:25.000]  health care of today. It has something very similar. It has the patient in the middle,
[11:25.000 --> 11:30.080]  but I want to draw your attention to everything around the patient. You see all those blinking
[11:30.080 --> 11:38.880]  boxes? You see all those wires and cables? Imagine what the wireless is around the station
[11:38.880 --> 11:46.400]  at that exact moment. This is modern health care. You cannot engage in health care in most
[11:46.400 --> 11:53.540]  hospitals in the United States without facing this reality that everything's connected.
[11:53.660 --> 11:59.500]  A lot of it is insecure. We're doing our best, but we have a long way to go. Next slide.
[12:08.840 --> 12:14.680]  So, we screwed this up in medicine a long time. So, these are two publications. One was called
[12:14.680 --> 12:19.220]  To Err Is Human. This is about the millennial time, and the other one was Crossing the Quality
[12:19.220 --> 12:24.600]  Chasm. And we talked about basically, let's look at data in medicine. Does this medicine work
[12:24.600 --> 12:28.800]  compared to this one? Does this treatment work compared to this one? We want doctors to use
[12:28.800 --> 12:34.460]  evidence-based medicine, but we also want to recognize that a lot of the time, medicines,
[12:34.460 --> 12:39.680]  health care, doctors, nurses, the infrastructure, all of that actually hurts patients sometimes
[12:39.680 --> 12:45.840]  because we make mistakes. We give someone medicine that they're allergic to. Can you guys
[12:45.840 --> 12:56.750]  draw some hearts if the slides are down? Yeah, it looks like they're down. ATX, can we reload those?
[13:26.360 --> 13:29.280]  I'll just kind of keep going a little bit. So, basically,
[13:31.320 --> 13:34.800]  there have been plenty of examples of where in medicine
[13:35.760 --> 13:41.000]  we've actually hurt patients when we went to help them. One of the examples is in about the
[13:41.540 --> 13:47.180]  20s or 30s, you were almost guaranteed to die if you were a premature infant. The reason was that
[13:47.180 --> 13:52.240]  premature infants have very immature lungs. They can't breathe. And it takes a long time while
[13:52.240 --> 13:57.160]  they're in the womb for those lungs to mature. And for the first time ever, when we had better
[13:57.160 --> 14:05.120]  plastics, and primarily when we had the power to concentrate and store oxygen, we were able
[14:05.120 --> 14:09.860]  for the first time to allow premature babies to live. So, we had these little incubators,
[14:09.860 --> 14:13.960]  and we were able to keep babies warm. We were able to give them oxygen because their lungs
[14:13.960 --> 14:21.700]  weren't very good. Please tell me, I want in the audience, I want you to throw up an
[14:21.700 --> 14:27.160]  applause if you think you should give the patient 100% oxygen. Let's pump as much oxygen as possible
[14:27.160 --> 14:33.560]  into that little incubator. Or if you think we should do 50% oxygen, throw up some hearts. So,
[14:33.560 --> 14:40.200]  hearts for 50%. Okay, we got 50%. Does anyone want to do 100% oxygen? Those lungs are pretty
[14:40.200 --> 14:47.200]  immature. Throw up some applause. No? So, basically, we answer the question, right? Babies were living
[14:47.200 --> 14:50.180]  for the first time. I'm going to pick what concentration of oxygen we're going to put
[14:50.180 --> 14:57.240]  in their incubator. And we went with 100. And then these babies were living. A big percentage
[14:57.240 --> 15:02.340]  of them were actually turning out blind. This is the cited reason why Stevie Wonder is blind,
[15:02.340 --> 15:07.400]  because he had retinopathy of prematurity. It actually was the oxygen that was causing the
[15:07.400 --> 15:11.320]  blindness. We didn't know if it was premature babies are more likely to be blind and now
[15:11.320 --> 15:15.740]  they're living. Or it actually ended up after we studied tens of thousands of patients that
[15:15.740 --> 15:21.560]  the oxygen was what was causing these patients to go blind. And so we went from going 100% oxygen
[15:21.560 --> 15:27.880]  to 50% oxygen. This is one example of how treatment we use actually hurts the patient.
[15:27.880 --> 15:33.440]  Another one is thalidomide. There was a nausea medication marketed mostly in Germany in the
[15:33.440 --> 15:40.700]  40s for nausea. It was a drug called thalidomide. Well, for a lot of reasons, a lot of them,
[15:40.700 --> 15:45.220]  you know, inexcusable. It was never tested in pregnant persons. So what does that mean?
[15:45.280 --> 15:50.860]  But pregnant persons get nausea and they vomit all the time. So they wanted to use this drug
[15:50.860 --> 15:56.620]  called thalidomide. They gave it to pregnant persons and basically caused a lot of death.
[15:56.620 --> 16:03.180]  As a consequence of poor research practices. All right, cool. We're back. This guy is like
[16:03.820 --> 16:17.300]  ghosting out his iPad. Please go down like three or four slides. All right, other way.
[16:19.160 --> 16:28.120]  Keep going, keep going. No, you're going the wrong way. No,
[16:28.120 --> 16:32.940]  you're going the wrong way. Yeah, yeah, there you go. The other way.
[16:33.000 --> 16:42.720]  Keep going, keep going. Keep going, keep going.
[16:58.260 --> 17:06.100]  Okay, here's thalidomide. Great. So this is, okay, now we have this potential new failure.
[17:06.100 --> 17:11.340]  Now I'm going to start off rapidly by asking myself, wait a minute, you're telling me that
[17:11.340 --> 17:20.760]  the cybers and these malicious cybercriminals, are they hurting patients? No. If we make it to
[17:20.760 --> 17:25.000]  the end of this talk, I'll give you a little, a few slides on why I think that's the case.
[17:25.000 --> 17:31.160]  But what do we know about how security of medical devices and critical hospital infrastructure can
[17:31.160 --> 17:37.320]  affect patients? All right, this is a slide about a paper I published over 10 years ago
[17:38.120 --> 17:44.380]  by Kevin Fu's group. This was before Barnaby Jack, and they basically talked about how
[17:45.520 --> 17:54.860]  easy it was to wirelessly attack an implant. These are devices that can implant into a person's
[17:54.860 --> 18:01.800]  body and wires come from this implant and go into their heart. There was some concern that they
[18:01.800 --> 18:07.540]  were able to induce shock. So you were watching TV, then you watch any of those shows about the
[18:07.540 --> 18:11.320]  emergency department, you know, and they shock someone back to life. Well, these devices can
[18:11.320 --> 18:16.380]  shock. And if you get shocked and you don't need to, and it happens to shock you at the wrong time,
[18:16.380 --> 18:19.200]  you can actually. Next slide.
[18:35.600 --> 18:44.200]  This is some great research done by Jay Radcliffe, who basically reverse-engineered his own insulin pump.
[18:44.220 --> 18:50.260]  He's a hacker himself, and was able to show how easy it would be to deliver a potentially deadly
[18:50.260 --> 18:55.920]  dose of insulin. So if you don't know that, if you get insulin and you're diabetic and it's at the
[18:55.920 --> 19:00.780]  right level, great, you live. But if you don't need insulin and they give it to you, it can actually kill you.
[19:00.800 --> 19:14.000]  Next slide. Some more pacemaker research. And before Barnaby died, he was going to give a talk
[19:14.000 --> 19:18.180]  about hacking pacemakers. Rest in peace, Barnaby. Next slide.
[19:23.420 --> 19:29.800]  Not just medical devices, this is critical hospital infrastructure. If you're interested in this,
[19:29.800 --> 19:36.380]  this is a hospital for about three or four days. A really interesting story. I recommend you read
[19:36.380 --> 19:43.480]  kind of what happened with that. Next slide. Devastating to, you know, hospital operations,
[19:43.480 --> 19:46.540]  essentially put a hospital offline for three days while in hospital.
[19:48.260 --> 19:53.400]  We had some infusion pump stuff, though, you know, it's not always the obvious stuff like an insulin
[19:53.400 --> 19:59.620]  pump or a pacemaker. There's a lot of connected medical technology that is vulnerable. These
[19:59.800 --> 20:05.560]  are infusion pumps. So you go to the hospital and you get an IV. This is a, you know, bag of medicine
[20:05.560 --> 20:12.000]  and a tube that goes into an IV into your arm. Sometimes it's just, you know, saline, essentially
[20:12.000 --> 20:18.180]  water with some salts to help hydrate you. But sometimes we deliver medications through your IV.
[20:18.500 --> 20:22.560]  And sometimes we have to give you those medications over hours. And so we have to control the rate of
[20:22.560 --> 20:26.500]  medication. If you get a little medication, it doesn't help. If you get too much medication,
[20:26.500 --> 20:31.740]  it can kill you. How do we control the rate of medicine going into a patient? We use these
[20:31.740 --> 20:39.660]  things called infusion pumps. They're basically mechanical pumps attached to embedded systems
[20:39.660 --> 20:44.840]  that can be able to look at software, drug libraries, and control the way of medications.
[20:44.840 --> 20:48.920]  Well, you know, I don't know, 10 years, 15 years ago, they were like, you know what the next great
[20:48.920 --> 20:55.060]  generation of these is going to be? Let's put them on Wi-Fi so we can connect them to the network for,
[20:55.060 --> 20:59.740]  what ended up happening was, and this is the most widely publicized example of this,
[20:59.740 --> 21:04.040]  there are some significantly scary vulnerabilities associated with infusion pumps,
[21:04.040 --> 21:07.140]  where they could give you way too much medicine, way too little medication.
[21:07.740 --> 21:12.560]  Primarily vulnerabilities involving really poor or little authentication practices. Next slide,
[21:12.560 --> 21:28.080]  please. Okay. Well, if you're into this, this is such a weird story. So some security researchers,
[21:28.080 --> 21:33.140]  instead of finding, they found some vulnerabilities in the pacemaker. Instead of going to the
[21:33.140 --> 21:38.760]  manufacturer and engaging in, you know, disclosure, coordinated disclosure, they went to like a hedge,
[21:38.760 --> 21:42.820]  like a pseudo hedge fund. And they said, listen, we're going to release all this research about
[21:42.820 --> 21:48.880]  how these pacemakers are FUBAR. We want to short the stock with you. And that was how they made a
[21:48.880 --> 21:53.220]  lot of money, at least temporarily. The stock bounced back and this thing's getting litigated
[21:53.220 --> 21:58.580]  as hell. But long story short, it's a really interesting kind of change in the research
[21:58.580 --> 22:13.110]  landscape. Next slide. I mean, sure, throw some hearts out, throw some applause out,
[22:13.110 --> 22:17.110]  whatever it is. Let me know if you're out there, if you heard about all the ransomware attacks
[22:17.110 --> 22:22.130]  in hospitals. Cool. All right. Now, do it if you're responsible for one.
[22:23.370 --> 22:25.610]  Ah, I almost got you there.
[22:28.250 --> 22:32.490]  Listen, ransomware is in hospitals. And when COVID started, there was, I remember,
[22:32.490 --> 22:37.030]  I guess in the news headlines, I was like, a bunch of ransomware crews were going to come
[22:37.030 --> 22:42.890]  together and say, we're not going to get hospitals during COVID. A couple of big ones. And science,
[22:42.890 --> 22:47.610]  you know, of course, ransomware is a plague. It's always going around. There's been a couple
[22:47.610 --> 22:54.110]  hospitals recently. But largely speaking, it's been sort of research infrastructure. So
[22:54.730 --> 23:00.650]  there's some news stories recently of state actors going after COVID research or ransom workers going
[23:00.650 --> 23:07.650]  after academic research establishments. But of course, we can have a conversation about healthcare
[23:08.250 --> 23:13.650]  and hacking without talking about WannaCry. It's so crazy. When this happened,
[23:13.650 --> 23:16.730]  I remember thinking to myself, like, whoa, I don't know if we're ever going to have anything
[23:16.730 --> 23:24.270]  like this again. It took out over 30% of the United Kingdom's National Health Service's entire
[23:24.270 --> 23:30.350]  infrastructure. What does that mean? Imagine if malware hit the US and took out one out of every
[23:30.350 --> 23:35.270]  three hospitals across the country. Think about how disruptive that would be to clinical care.
[23:35.270 --> 23:40.630]  Think about the patients that are going to be having strokes and heart attacks and are having
[23:40.630 --> 23:45.470]  life threatening infections. Imagine how impactful that could have been.
[23:46.170 --> 23:51.390]  And so that's really changed a lot of things and catalyzed a lot of positive actions. We're looking
[23:51.390 --> 23:56.010]  at the security of these devices in a better light. The FDA has done a bunch of great work
[23:56.010 --> 24:01.530]  talking about how we can make these devices more secure. When they come to market, they're not
[24:01.530 --> 24:07.210]  plagued with a lot of the problems that we've been dealing with for the last 15 years. Next slide.
[24:27.050 --> 24:33.370]  All right. And then check this out. What's crazy is the FDA actually recalled a medical device,
[24:33.370 --> 24:40.210]  not because the pump was prone to break or because the wiring that goes into it was likely to fray
[24:40.210 --> 24:45.010]  and cause electrocutions, which we do for all sorts of other medical devices on a regular interval.
[24:45.010 --> 24:51.770]  The first time ever, we actually had a recall because of a nasty vulnerability that could,
[24:51.770 --> 24:53.850]  in this article, as mentioned, lead to death. So we're going to have to do something about that.
[24:53.850 --> 24:58.490]  Potential patient safety concerns. And so for the first time ever, we had the FDA saying, hey,
[24:58.490 --> 25:02.810]  we can't tolerate this. We're going to actually recall the device. And then you got there and be
[25:02.810 --> 25:07.670]  like, wait a minute. Is that the first? Why isn't this happening all the time? It's a really big
[25:07.670 --> 25:14.990]  deal to recall a device. Patients might not trust devices after you recall them. So if you're a
[25:15.470 --> 25:20.270]  diabetic and you've been told that some hacker can kill you by hacking your insulin pump,
[25:20.270 --> 25:25.130]  you may not add an insulin pump next. If it's been recalled, you might not trust the technology.
[25:25.590 --> 25:32.290]  And sometimes these patients will actually suffer from their lack of trust in other devices that
[25:32.290 --> 25:35.990]  might be more secure, just because they don't know the difference between security in one
[25:35.990 --> 25:42.210]  insulin pump versus the other. So a recall is a really big deal. It took a lot of guts for
[25:42.210 --> 25:46.090]  the FDA to do this, and I really want to applaud them for that. Next slide.
[25:53.280 --> 25:58.540]  So I hope you can see, like, I think of this picture that we're pretty fragile.
[25:58.540 --> 26:06.220]  There's thousands and thousands of devices on our hospital network. Hundreds of workstations,
[26:06.220 --> 26:12.220]  depending on how big the organization is. And in 2017, the National Health and Human Services
[26:12.220 --> 26:19.600]  issued this report. They had this big task force. They got a bunch of famous people on this group,
[26:19.600 --> 26:24.260]  including some hackers, and they basically came out to the end of this report basically saying,
[26:24.260 --> 26:30.000]  you know, how scary the vulnerabilities of the healthcare system were. And one of the things
[26:30.000 --> 26:34.920]  they pointed out was they thought a majority of hospitals, again, sorry, this is like US-focused
[26:35.200 --> 26:39.510]  a little bit, but they thought a majority of hospitals in the United States lacked even a
[26:40.220 --> 26:44.210]  single full-time security professional on staff. There are some parts or some
[26:44.990 --> 26:50.470]  classrooms. You think that's crazy? You think that your hospital system doesn't have a full-time
[26:50.470 --> 26:55.290]  security professional on staff? Yeah, throw somebody up if you think that's wild. Yeah,
[26:55.290 --> 26:59.630]  that's insane. You know, that wouldn't be tolerated at a bank. It wouldn't be tolerated
[26:59.630 --> 27:05.390]  at a lot of other institutions, likely. And yet those are patients' lives that are at risk,
[27:05.390 --> 27:09.650]  right? These are institutions taking care of kids, potentially, and yet they're not going to have
[27:09.650 --> 27:15.570]  the expertise that they need. It's hard, you know, they can't often pay the salaries.
[27:16.830 --> 27:24.070]  It's really frustrating for a lot of hackers to work for healthcare because they don't get the
[27:24.070 --> 27:29.570]  freedom to fix a lot of the issues they find, and it's all absolutely valid. But if you're looking
[27:29.570 --> 27:32.710]  to make a difference, and you're looking to make a career change, and you want to put your skills
[27:32.710 --> 27:36.690]  to good use, I'd really encourage you to check out working for a healthcare organization.
[27:36.690 --> 27:39.190]  It's a challenging environment, and you have to deal with a lot of these issues,
[27:39.190 --> 27:42.890]  but you're also going to have a little trial by fire, because I think we're also seeing pretty
[27:44.110 --> 27:49.590]  well-documented and publicized campaigns of state hackers going after healthcare.
[27:49.790 --> 28:00.170]  Next slide. All right, I'm going to let you guys read this later. Basically,
[28:00.170 --> 28:05.490]  this says software is what powers modern healthcare. There's so much of it now,
[28:05.490 --> 28:09.170]  and if we don't pay attention to it, we don't secure it, it's going to be a problem. If hackers
[28:09.170 --> 28:16.030]  don't step up to help secure patients, the devices that they use, it's not just going to be
[28:16.030 --> 28:19.550]  random death, but medical death that we're dealing with. It's going to be a much bigger
[28:19.550 --> 28:33.900]  number of consequences. Next slide. Next slide. So I already kind of told you, I can't tell you
[28:34.060 --> 28:40.640]  a story. I can't show you a news clipping of someone who died because their pacemaker was
[28:40.640 --> 28:46.340]  hacked. But I'll just tell you, and this slide doesn't translate well, because we cut it into
[28:46.340 --> 28:52.760]  images. But let's imagine you have an infusion pump. It's running embedded Windows. It gets
[28:52.760 --> 28:59.380]  infected. It's on the network, on the Wi-Fi, it's exposed. It gets owned by some crypto mining
[28:59.380 --> 29:03.120]  malware. And as a consequence of this, the pump...
[29:13.820 --> 29:19.040]  I told you, I think that this is likely far more relevant than we think, but we lack the
[29:19.040 --> 29:25.040]  sophistication to actually measure it, to go out there and find evidence of it, because we're not
[29:25.040 --> 29:31.300]  even looking. So this pump's malfunctioning. Who in a hospital is going to even recognize this
[29:31.300 --> 29:35.160]  malfunction? Well, the best person is probably going to be the nurse, the person putting
[29:35.160 --> 29:42.440]  medications into the pump, actually interfacing with the pump. So nurses are overworked,
[29:42.440 --> 29:48.560]  amazing clinicians. I can't do my job as a doctor without them. I will say a lot of nurses would
[29:48.560 --> 29:52.380]  not recognize this, because I've asked them. It's not any fault of their own. It's that they're
[29:52.380 --> 29:57.060]  busy. They have four other patients in the ICU. COVID's happening. They're not necessarily
[29:57.060 --> 30:01.700]  looking at that device to make sure that the right number of drips are coming out of their
[30:01.700 --> 30:08.960]  IV bag. They trust the technology, and that's what I've heard over and over again from nurses
[30:08.960 --> 30:15.500]  in the field, is that they are trained to trust these pumps. In fact, the pumps they're taught
[30:15.500 --> 30:21.680]  are more safe than human beings doing it. Human beings controlling the rate of medication going
[30:21.680 --> 30:28.840]  into a patient by titrating some little dial is far more prone to mistakes, either underdosing
[30:29.640 --> 30:34.500]  a patient, than infusion pumps. So they're taught to trust it. Let's say you just have a crazy day,
[30:34.500 --> 30:40.720]  and the nurse picks up on this malfunctioning device. What are they going to do? Well,
[30:40.720 --> 30:44.920]  they're going to call bioengineering. This is a part of the hospital. These are people that
[30:44.920 --> 30:48.420]  take care of medical devices, and they're going to come and replace it. Guess what?
[30:48.420 --> 30:53.560]  They're going to replace it with the exact same vulnerable model that's likely unpatched,
[30:53.560 --> 31:00.040]  and it's going to be pretty quickly infected with the exact same crypto mining malware.
[31:00.280 --> 31:04.880]  But that aside, they're going to take that infected device, I imagine, in the basement.
[31:04.880 --> 31:09.040]  You know, this is kind of a joke I say. I think all bioengineers live in the basement.
[31:09.040 --> 31:13.600]  Not trolls, but that's just in my mind where this device is going. They're going to do some
[31:13.600 --> 31:19.220]  very basic troubleshooting on it. Throw up a heart or a hand or something, whatever,
[31:19.220 --> 31:22.180]  if you think that they're going to do forensics on this device.
[31:23.560 --> 31:27.440]  Oh yeah, you get the pessimists just like me. Yeah, of course they're not going to. They're
[31:27.440 --> 31:32.960]  not security experts. They know about clinical devices. They know about that. They don't know
[31:32.960 --> 31:37.520]  about security. If the hospital is lucky to have any security folks, guess what? They live over
[31:37.520 --> 31:42.380]  in IT, and they're in some closet, usually off campus, where all the cool people hang out like
[31:42.380 --> 31:48.860]  us. But they aren't going to even know that the device is likely infected. Well, if they can't
[31:48.860 --> 31:53.300]  fix it, you know, if they flash it and it's still acting up, who are they going to send it to?
[31:53.300 --> 31:58.120]  It's a device manufacturer. Ask a bunch of device manufacturers. When you get a malfunctioning
[31:58.120 --> 32:02.620]  medical device back in from a hospital, do you even consider the possibility that it's
[32:02.620 --> 32:07.940]  infected with malware? And guess what? Raise your hand if you think even one of them said they do
[32:07.940 --> 32:14.360]  forensics on malfunctioning medical devices. No, they don't. They lack that expertise too.
[32:14.360 --> 32:21.800]  As a consequence, they're just not going to look for it. The problem we're not even looking for,
[32:21.800 --> 32:26.080]  and it's perfectly designed for us to not have anyone even ask the question,
[32:26.080 --> 32:34.980]  let alone the skill set, for us to find. I think the next slide, I think that was a
[32:34.980 --> 32:40.980]  move along signal. What we don't want to do is have a crisis of confidence. You know,
[32:40.980 --> 32:46.000]  we don't want patients to not trust medical technology or to trust healthcare. And that's
[32:46.000 --> 32:52.820]  a big problem. You can go back to that slide of the angry old guy. Eric touched upon this,
[32:52.820 --> 33:00.400]  which is it's important for us to be trusting some of these systems because we don't want people
[33:00.400 --> 33:04.800]  having heart attacks and strokes saying, I don't want to go to that hospital. You know, I heard
[33:04.800 --> 33:10.880]  they had a breach of patient records last week, and I don't want to be hacked. And well, they're
[33:10.880 --> 33:17.760]  having a heart attack, right? If we don't do a good job, if hackers don't come and help healthcare
[33:17.760 --> 33:23.940]  do a better job, teach them what they're doing wrong for this infrastructure, we face this very
[33:23.940 --> 33:28.160]  real possibility that either the infrastructure is not just not even going to work at all in the
[33:28.160 --> 33:34.600]  case of Anonymous DoSing Boston Children's, or it might work and it might actually be
[33:34.600 --> 33:39.940]  somewhat robust and secure, but patients still don't trust because they're reading these news
[33:39.940 --> 33:45.840]  headlines in the press. So let me go forward a few slides.
[33:48.890 --> 33:55.390]  Right at the half hour mark, press something up if you want me to stop. Keep going, yeah, keep going.
[33:58.270 --> 34:06.150]  I'm gonna fix this. Oh god, here we go. So there are so many policy elements to this that I think
[34:06.150 --> 34:10.110]  are probably gonna bore a lot of hackers out there watching this stream. Thank you for
[34:10.950 --> 34:14.970]  tolerating this. We won't get into the policy aspects of it, but listen,
[34:14.970 --> 34:21.010]  if we are going to be buying millions of dollars of new devices for a hospital,
[34:21.010 --> 34:27.110]  better do a good job recognizing what risk we are going to be accepting on our networks,
[34:27.110 --> 34:35.110]  right? And that involves a lot of work up front. Vulnerability assessments, you know,
[34:35.110 --> 34:41.630]  there's a thing called the MDS2 form that basically goes through what are all the security
[34:41.630 --> 34:46.530]  controls available on this particular device, how secure out of the box is it, and what do you need
[34:46.530 --> 34:51.230]  to do on the hospital side to make sure when that gets deployed, are you doing so in a way that's
[34:51.230 --> 35:00.130]  most safe for the patients without causing unnecessary and laborious efforts that won't
[35:00.130 --> 35:10.860]  help the patients. Next slide. By the way, most of that stuff in there was connected.
[35:11.880 --> 35:17.120]  All right, listen, we're here at DEF CON, and I'm so amped to be virtually looking at all of
[35:17.120 --> 35:23.300]  you in this room. And I will say, although COVID has been a little bit of a relief to be here with
[35:23.300 --> 35:30.940]  my hacker family, presenting something that I'm passionate about. But listen, we, as mentioned
[35:30.940 --> 35:39.300]  previously, hackers need to step up. We need people to help us in healthcare, basically do
[35:39.300 --> 35:45.420]  the medical device research to help us with best practices, to help secure our networks. There's
[35:45.420 --> 35:50.960]  been some actually some great collaborations between hackers and healthcare in these coalitions
[35:50.960 --> 35:57.460]  where various hackers have pledged to essentially help defend hospitals if they should be under
[35:57.460 --> 36:02.280]  attack, which I think was a very noble thing. You know, hackers really stepped up during COVID.
[36:02.280 --> 36:07.640]  It's been, you know, volunteering to help defend hospitals against adversaries and cyber criminals,
[36:07.640 --> 36:14.540]  or also printing PPE, being there to help with some of the different disinformation that's really
[36:14.540 --> 36:20.820]  going out over social media. And as a consequence, I think this is hopefully something that persists.
[36:20.820 --> 36:27.660]  I hope that COVID, as awful as it is, will help catalyze hackers and healthcare coming together.
[36:27.880 --> 36:32.240]  If you're looking for more continued engagement with something like this, and as I mentioned,
[36:32.240 --> 36:35.540]  you can choose for employment, but you can also just do some research. You know, I
[36:35.540 --> 36:40.380]  went to research on medical devices. I buy them off eBay. You can do a lot of that. You can go
[36:40.380 --> 36:45.720]  on OfferUp and buy some crazy medical devices. As long as you're, you know, doing responsible
[36:45.720 --> 36:51.180]  research, knowing that it's a very big deal, and there's a lot of consequences that you need to
[36:51.180 --> 36:56.320]  take into consideration, we need a lot of your talent out there to help us be more secure. So
[36:56.940 --> 37:02.660]  please, please join. You can also, Biohacking Village is one of the DEF CON villages.
[37:02.800 --> 37:07.400]  We really encourage you to check it out. All right, listen, I don't think we should make
[37:07.400 --> 37:12.680]  all doctors aware of cybersecurity, make them experts. It's just not, it's not for purview.
[37:12.680 --> 37:18.260]  And honestly, I've been too busy driving Ferraris. Just kidding, I don't have a Ferrari.
[37:18.980 --> 37:25.220]  Only cardiologists have Ferraris. But what we need is, we need more nurses, we need more doctors
[37:25.220 --> 37:30.860]  in this space, because when you change the conversation from, this is just patient data
[37:30.860 --> 37:35.060]  that we want to secure, hey, we just want to get a violation or a purported breach,
[37:35.060 --> 37:41.320]  to the NICU, the head NICU nurse saying, hey, listen, if this medical device doesn't work,
[37:41.320 --> 37:46.000]  it's not available, or if the integrity of the data coming from this has been compromised,
[37:46.000 --> 37:53.660]  this little 30-week-old baby premature in this incubator is going to suffer. That's the type
[37:53.660 --> 37:57.060]  of conversation we need to have by partnering with clinicians. And you know what, it's going
[37:57.060 --> 38:01.340]  to require some patience on our side as hackers. They don't speak our language, just like you
[38:01.340 --> 38:06.300]  often don't speak theirs. Coming together in these interdisciplinary teams, working together,
[38:06.300 --> 38:12.800]  going to be able to make people change their minds about what security means in healthcare,
[38:12.800 --> 38:19.120]  not just HIPAA, not just privacy, but also patient safety. Next slide.
[38:29.100 --> 38:34.260]  All right, I'm going to finish up after this little bit. So, and open up for some questions,
[38:34.260 --> 38:38.540]  if anyone has it. So, you know, how many out there are familiar with last mile problem?
[38:38.580 --> 38:43.320]  Just throw something out. Many industries have last mile problems. Yeah, so I'm not going to
[38:43.320 --> 38:47.720]  I'm pretty sure if I tried to describe it in detail, I'm going to butcher it. So just forgive
[38:47.720 --> 38:54.280]  me as I do butcher this. But in many industries, it's not necessarily... there are certain parts
[38:54.280 --> 38:59.420]  of delivering things to consumers, for example, that are hard. And they might not be what you
[38:59.420 --> 39:06.500]  think. So, for example, when you're shipping goods that are manufactured in a different country,
[39:06.500 --> 39:13.840]  you know, you can make the particular product, and you can put it in a container ship,
[39:13.840 --> 39:18.220]  and you can actually go across an entire ocean and it goes. So you can imagine all the logistics
[39:18.220 --> 39:22.460]  involved in that. But guess what? All these companies that are doing that actually don't
[39:22.460 --> 39:27.360]  dread all that stuff. They dread the last mile, which is how do you get it from the distribution
[39:27.360 --> 39:33.900]  center into someone's home? It's a classic problem with ISPs. There's so many variations
[39:33.900 --> 39:39.000]  and addresses and buildings that are built differently, et cetera, that the last mile
[39:39.000 --> 39:45.420]  ends up being the hardest part. Well, healthcare has the last... healthcare security has the last
[39:45.420 --> 39:48.480]  mile problem. And I'm going to talk to you about it right now. Next slide.
[39:50.540 --> 39:51.820]  Oh, can you...
[40:05.950 --> 40:15.690]  So, let's imagine we have an awesome hacker. She's donating her expertise. She buys a device
[40:15.690 --> 40:22.130]  off of eBay. And she finds a vulnerability in it. She finds a nasty vulnerability that
[40:22.130 --> 40:27.750]  potentially kills somebody in a medical device that she buys off of eBay. Who does she go and
[40:27.750 --> 40:27.970]  talk to?
[40:27.970 --> 40:33.930]  Well, she probably will engage in responsible coordinated disclosure. I know that there's
[40:33.930 --> 40:40.310]  the language of that or what we used to describe as controversial. And in any regards, she's
[40:40.310 --> 40:45.610]  elected to do responsible coordinated disclosure. She goes to the medical device manufacturer.
[40:45.930 --> 40:49.030]  So, what is the medical device manufacturer going to do? Next slide.
[40:59.610 --> 41:06.250]  Here we go. Medical device manufacturer is obligated to respond to that, right? There've
[41:06.250 --> 41:10.610]  been plenty of documented examples of medical device manufacturers that screwed this up,
[41:10.610 --> 41:15.170]  you know, threatened to sue researchers or ignored them. But that hasn't panned out very
[41:15.170 --> 41:20.150]  well for them. And the FDA has come down pretty hard on those companies. So, as a consequence,
[41:20.290 --> 41:25.370]  a lot of them are changing and they're actually engaging attackers. What does the medical device
[41:25.370 --> 41:29.910]  manufacturer have to do? Well, they're obligated to report that to the regulator, which in this
[41:29.910 --> 41:34.870]  case on medical devices ends up being the FDA. Well, the FDA is like, damn, this vulnerability
[41:34.870 --> 41:38.230]  is nasty. We don't want any patients to get hurt. So, they're going to issue what's called a safety
[41:38.230 --> 41:45.350]  communication. They have to, and a lot of this is really hard, they can get out there and tell
[41:45.350 --> 41:52.010]  patients and doctors and hospitals that they have to worry about this device. And let's imagine that
[41:52.010 --> 41:56.990]  goes off without a hitch, which has never happened before. You know, it's never an easy thing to do,
[41:56.990 --> 42:01.650]  but let's imagine they do a great job and everyone that has that device is made aware of that.
[42:01.650 --> 42:15.810]  Next slide. So, the medical manufacturer and the regulator are like, oh man, it's even so
[42:15.810 --> 42:22.030]  concerning that we've got to issue a patch. Well, patching systems, you know, it's not controversial
[42:22.030 --> 42:28.130]  from a hacker perspective in most cases, but one of these edge cases where it is controversial,
[42:28.130 --> 42:34.050]  one of them is medical devices. But what if you poorly test your patch and actually cause some
[42:34.050 --> 42:38.350]  type of clinical harm because you're patching something and you didn't do a good job testing
[42:38.350 --> 42:44.290]  patch and actually the medical device malfunctions and hurts someone? Or there are all sorts of
[42:44.290 --> 42:48.490]  different things, like how are you going to actually patch something that's in a human being?
[42:48.530 --> 42:52.810]  You know, there are tens of thousands of, you know, tens of thousands of patients all across
[42:52.810 --> 42:56.770]  the globe that have implantable medical devices. You're going to call them all into the doctor's
[42:56.770 --> 43:02.030]  office and get their systems patched? Yeah, you get there and say yes, but it's a much harder thing
[43:02.030 --> 43:09.430]  to do than to say, let's imagine they are so on the ball and this medical infrastructure has
[43:09.430 --> 43:14.050]  patched this vulnerability and they've done it in record time and the patch is fantastic.
[43:14.490 --> 43:19.770]  They have to roll that out. And this is where the last mile problem is. How do we get
[43:19.770 --> 43:27.690]  from patching a medical device and get it to the actual patient? Because in this slide,
[43:27.690 --> 43:33.690]  last part is the clinicians, right? The doctors and nurses have to call those patients in and
[43:33.690 --> 43:40.030]  they got to put this magnetic interface onto their chest and they have to update the software.
[43:40.150 --> 43:47.030]  Next slide. Well, guess what? I think many of you out there know that's just not going to happen.
[43:47.130 --> 43:50.910]  It should happen, but it's not going to happen or it's not going to happen in any significant
[43:50.910 --> 43:56.890]  percentages because this last mile problem is really hard. We have a registry of patients that
[43:56.890 --> 44:02.550]  have these implantables, but guess what? Half the phone numbers aren't up to date or it was
[44:02.550 --> 44:06.650]  implanted, you know, eight years ago and they moved and we have no idea how to send them a letter
[44:06.650 --> 44:10.990]  or these doctors say, this is stupid. I'm not going to actually do this. It's such a pain in
[44:10.990 --> 44:15.810]  the butt patch or I don't think this is really an issue. And as you can see, we have this last
[44:15.810 --> 44:20.890]  mile problem. We can do all this great work and everything can go off perfectly. But if we don't
[44:20.890 --> 44:26.550]  get patients and doctors together and tell them why this is important and have them understand it
[44:26.550 --> 44:34.010]  and advocate for security, it's just not going to happen. All right, next slide. So I'm at 42.
[44:34.490 --> 44:40.530]  You guys are probably thinking to yourself, you know, we can just go to the end of the question
[44:40.530 --> 44:45.110]  slide. You're probably thinking to yourself, man, why did I get myself into this crazy ass talk? I
[44:45.110 --> 44:49.590]  was looking in here for overflows. Why are we talking about this crazy healthcare stuff? But
[44:49.590 --> 44:53.590]  I want to say I want to thank you for this opportunity. Thank you, DEF CON Groups. Thank
[44:53.590 --> 44:58.670]  you DCA 58619 for letting me talk about this stuff that's near and dear to my heart. And this
[44:58.670 --> 45:03.110]  isn't the end of the conversation. I'm on Twitter, hit me up somewhere. If you're interested in this
[45:03.110 --> 45:08.290]  space, there's a lot we can do together to help. And you know, how often do you get a chance to
[45:08.290 --> 45:15.410]  use your skills for more than just privacy and security to really potentially save a life? That's
[45:15.530 --> 45:20.170]  a big, big deal. I want to say thank you for what you do. I miss my family. And if next year's plague
[45:20.170 --> 45:37.640]  is gone, I want to buy you all a beer in Vegas. Questions? I have a question. Yeah. What are some
[45:37.640 --> 45:42.660]  of the groups that are valuable for people to reach out to you to help solve this problem?
[45:43.560 --> 45:46.880]  Yeah, great question. So for those who didn't hear the question, it was what groups are...
[45:48.120 --> 45:52.920]  you can go all the way to the end to the question slide. The very last slide, please. The question
[45:52.920 --> 45:58.120]  was, what groups should I get involved with if I'm interested in this? There's the Biohacking
[45:58.120 --> 46:02.120]  Village group, which has an ongoing presence throughout the year. There's a group called
[46:02.120 --> 46:05.940]  I Am The Cavalry. I don't know how many of you out there are familiar with this, but they are
[46:05.940 --> 46:12.340]  really a great organization that gets a lot of attention and is able to persuade a lot of
[46:12.340 --> 46:18.840]  regulators like the FDA and other industries. There's a lot of power and a lot of awesome work
[46:18.840 --> 46:23.160]  being done with I Am The Cavalry, things like Beau Woods and Josh Corman, and there's a lot in that
[46:23.160 --> 46:27.180]  space. If you want to get involved in that, they have Slack that they'll invite you to.
[46:27.220 --> 46:33.040]  They don't just do medical, so if you're into hacking cars or airplanes, all sorts of things,
[46:33.040 --> 46:41.800]  but you want to also use your powers for good. Go to the next slide. Definitely check out that
[46:41.800 --> 46:56.250]  organization. All right. Another question? All right. Cool. Hit me up on Discord if you
[46:56.250 --> 47:00.490]  have any more. Again, this is a true, true honor. Take care, everyone. Thank you.
